This document provides a response to a Request for Proposals (RFP) from the City of New Orleans for an information security and cybersecurity program. The response includes: research on the firm's qualifications; data analysis including RFP clarification questions and a review of technical requirements; a solution design outlining benefits of recommendations and a phased project approach; and an evaluation design with a high-level project plan outline. The response demonstrates the firm's capabilities and provides details on its proposed methodology to address the RFP requirements.
2013-11 Growing Trend of Finding Regulatory and Tort ... (Raleigh ISSA)
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches"
with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
Presentation to (ISC)2 Omaha-Lincoln Chapter meeting on March 15th, 2017. This presentation looks at managing compliance with multiple cybersecurity laws and regulations across different industries using the NIST Risk Management Framework.
Data Confidentiality, Security and Recent Changes to the ABA Model Rules (saurnou)
Continuing legal education (CLE) presentation regarding data confidentiality, information security, computer forensics and legal ethics in light of technology-related changes made to the American Bar Association's Model Rules of Professional Conduct.
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy (ButlerRubin)
Butler Rubin Partner, Dan Cotter discusses in detail the changes to the Model Rules of Professional Conduct that impact lawyers and their obligations to understand technology and safeguard against inadvertent data breaches.
An Overview of the Major Compliance Requirements (DoubleHorn)
In this blog, we will explore some of the US government’s compliance standards that are helpful for many federal, state and local agencies while procuring technology and related services.
Privacy and Data Security: Minimizing Reputational and Legal Risks (TechWell)
Privacy and data security are hot topics among US state and federal regulators as well as plaintiffs’ lawyers. Companies experiencing data breaches have been fined millions of dollars, paid out millions in settlements, and spent just as much on breach remediation efforts. In the past several years, data breaches have occurred in the hospitality, software, retail, and healthcare industries. Join Tatiana Melnik to see how stakeholders can minimize data breach risks, and privacy and security concerns by integrating the Privacy by Design Model into the software development lifecycle. To understand how to minimize risks, stakeholders must understand the regulatory compliance scheme surrounding personally identifiable information; the Privacy by Design approach and the Federal Trade Commission’s involvement; and enforcement actions undertaken by federal agencies, State Attorneys’ General, and class action suits filed by plaintiffs.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
What Is Security Risk Analysis? By: MedSafe (MedSafe)
What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!
Identifying Code Risks in Software M&A (Matt Tortora)
Strategic fit and table stakes KPIs aren't the only things acquirers evaluate during the software M&A process. A software code review is one of the many components that is often overlooked by sellers.
Cyber Liability Coverage in the Marketplace with Dan Cotter (ButlerRubin)
Butler Rubin partner Daniel A. Cotter discussed the Model Rules of Professional Conduct (RPCs) as they relate to lawyers’ technology obligations at the National Association of Bar Related Insurance Companies (NABRICO) 2017 Annual Conference hosted by ISBA Mutual in Chicago, IL. Dan joined a panel of experts including Michael Hannigan (Konicek & Dillon), Alex Ricardo (Beazley Group), and Daniel Zureich (Lawyers Mutual Insurance Company of North Carolina) to discuss, “Cyber Liability Coverage in the Marketplace.” Dan emphasized the need for the insurers to consider what the reasonable standard is for lawyers and to help frame the answer. Dan also addressed some recent cyber-related decisions and cases pending.
For more information on developments in the cyber insurance and privacy areas, contact Dan Cotter (dcotter@butlerrubin.com).
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp... (EMC)
This white paper presents Beehive, a novel system that attacks the problem of automatically mining and extracting knowledge from the dirty log data produced by a wide variety of security products in a large enterprise.
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ... (ZoneFox)
ZoneFox is an award-winning market leader in User Behaviour Analytics, providing the critical insights around data flow that you need to secure against the Insider Threat.
Recent changes in conveyancing transactions in South Australia (Thomas Brown)
As you may be aware, there have been some major changes and developments in the conveyancing arena in South Australia. The Real Property (Electronic Conveyancing) Amendment Act 2016 came into effect as of Monday 4 July 2016.
A piece I wrote for a series of articles that were published in Quarter Horse News, a bi-monthly news magazine produced by Cowboy Publishing, a division of Morris Communications.
ISE 620 Final Project Guidelines and Rubric Overview .docx (christiandean12115)
ISE 620 Final Project Guidelines and Rubric
Overview
The final project for this course is the creation of a security posture and response analysis report.
With the explosion of the internet, we are living in a world with no boundaries. Organizations rely on e-commerce as a huge portion of their business models. With a move to more internet-based commerce and banking, there has been an increase in security threats, network penetrations, and intrusions. Information systems have inherent weaknesses and can be vulnerable to attacks from internal users, external customers, and anyone intent on malicious activity. This is why security incident detection and response has become an integral component of information technology programs; businesses and organizations must be able to handle security incidents effectively and efficiently. To this end, your final project will provide you with the opportunity to report on the detection of and response to an information security incident of a potential client.
For the final project, imagine that you are a cybersecurity consultant working for Business Secure, a fictitious cybersecurity firm. Business Secure has been approached by Health Network Inc. (HealthNet), a fictitious health services organization. HealthNet would like Business Secure to develop a request for proposal (RFP) based on HealthNet’s security needs. To support the creation of this RFP, the practice director has gathered key details from HealthNet and has tasked you with conducting a review of these materials and formulating your opinions and preliminary recommendations within a security posture and response analysis report.
To develop this report, you will need to begin by conducting a comprehensive review and evaluation of the Project Plan Backgrounder document, which provides an overview of the company and details its cyber policies and procedures. With preliminary security assessments already completed and provided to you by the practice director, you will also review a Nessus scan and Snort report as well as HealthNet’s policies and procedures:
Incident Handling and Response Procedures
Incident Detection and Response Policy
Electronic Password and Authentication Policy
Some external regulatory research on HealthNet’s industry sector will also be needed for providing compliance and regulatory assessment analysis for the organization. Keep in mind that while your report will evaluate all of HealthNet’s policies and security measures, you will only select one corporate office to focus on for state legislation: California (HQ), Illinois, Nevada, Oregon, or Washington State. The larger RFP objective is to provide preliminary recommendations to HealthNet on notification and escalation improvements, stakeholder identification, and recovery and general remediation for the network. Review the provided Project Plan Backgrounder document for the expected final report design.
The project is divi.
Module 02 Performance Risk-based Analytics With all the advancem (IlonaThornburg83)
Module 02 Performance Risk-based Analytics
With all the advancements in technology and encryption levels, some methods are faster or slower than others. In most cases a cybersecurity professional must weigh cost, performance, and security. Risk is a powerful tool used by all cybersecurity professionals to assist in making these decisions, and in influencing appropriate stakeholders by providing appropriate information with regard to these three elements.
Risk analysis, or risk-based analytics, helps determine the level of risk to an organization. The first step in this process is to determine the sensitivity of the data being processed. The example below is a common data classification for many organizations; however, depending on how the data will be used, these data fields may vary due to classification levels.
· Public: Data available to the general public and approved for distribution outside the organization.
· Examples: press releases, directory information (not subject to government regulations or blocks), product catalogs, application and request forms, and other general information that is openly shared. The type of information an organization would choose to post on its website offers a good example of Public data.
· Internal: Data necessary for the operation of the business and generally available to all internal users, users of that particular customer, and potentially interested third-parties if appropriate and when authorized.
· Examples: Some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
· Confidential: Data generally not made available outside the organization and the unauthorized access, use, disclosure, duplication, modification, or destruction of which could adversely impact the organization and/or customers. All confidential information is sensitive in nature and must be restricted to those with a legitimate business need to know.
· Examples:
· Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
· Personally identifiable information entrusted to the organization’s care that is not restricted use data, such as information regarding applicants, donors, potential donors, or competitive marketing research data.
· Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
· Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
· Legally privileged information.
· Information that is the subject of a confidentiality agreement.
· Restricted: Data that MUST be specifically protected via various access, confidentiality, integrity and/or non-repudiation controls in order to comply with legislative, regulatory, con ...
Application security Best Practices Framework (Sujata Raskar)
“Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals’ ability to anticipate and rapidly address potential threats to their enterprise.” -Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo
New Ohio Cybersecurity Law Requirements (Skoda Minotti)
Skoda Minotti’s Risk Advisory Services Group and Insurance Services Group are working closely with insurance industry licensees to meet the considerable requirements under the Ohio cybersecurity law. This presentation provides more detailed information about the law, and assists you with your understanding and implementation of the requirements.
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx (christiandean12115)
ISE 510 Final Project Scenario Background Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. It has been experiencing major growth in recent years, but there is also a concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is working to establish a strong reputation in the industry, and it views a robust information security program as part of the means to achieving its goal. The company looks to monitor and remain compliant with any regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes confidential company data has been stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the breach may have occurred because of some security vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent Surefire: InfoSec educational video game. The rest of the environment is presented via an interview with the security manager, Jack Sterling.
Highlights of Interview with Jack Sterling
The interview with Jack Sterling revealed the following about Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – Browser in use is Internet Explorer and browser security setting was set to low. Browsers allow remote installation of applets, and there is no standard browser for the environment.
Virus Software – McAfee is deployed locally on each user's machine, and users are mandated to update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for SQL database log is small and is overwritten with new information when it is full. Limetree Inc. is not using any encryption for sensitive data at rest within the SQL server environment.
Network:
The network comprises the following: three web/applications servers, three email servers, five file and printer servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three firewall devices, one gateway (router) device to the internet, and three wireless access points.
Configuration Highlights:
Wireless – Wireless network is available with clearly advertised SSID, and it is part of the local area network (LAN). There is no segmentation or authentication between the wireless and wired LAN. Visitors are provided access code to the wireless network at the front desk to use the internet while they wait to be attended to.
Managed switches – There is no logging of network activities on any of the switches.
Web server – Public-facing web server is part of the LAN. This is where internet users get needed information on the company. The web servers are running the f.
Project 6 - Cloud Computing Security PolicyThis week you will pr.docx (anitramcroberts)
Project 6 - Cloud Computing Security Policy
This week you will prepare a cloud security policy. The first CIO of the US mandated that cloud services be implemented in organizations whenever possible. Review the scenario below and prepare a cloud security policy for the organization. Complete the following section readings from “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, sections 1.1, 1.3, 1.6, 1.8, and 1.9, prior to starting your work on the policy:
PROCESS-ORIENTED SECURITY REQUIREMENTS
1.1 NIST SP 800-53 SECURITY CONTROLS FOR CLOUD-BASED INFORMATION SYSTEMS: page 10
1.3 CLOUD CERTIFICATION AND ACCREDITATION: page 17
1.6 CLARITY ON CLOUD ACTORS SECURITY ROLES AND RESPONSIBILITIES: page 27
1.8 BUSINESS CONTINUITY AND DISASTER RECOVERY: page 31
1.9 TECHNICAL CONTINUOUS MONITORING CAPABILITIES: page 34
Background:
A small non-profit organization (SNPO-MC) has received a grant which will pay 90% of its cloud computing costs for a five year period. But, before it can take advantage of the monies provided by this grant, it must present an acceptable cloud computing security policy to the grant overseers.
Tasking:
You are a cybersecurity professional who is “on loan” from your employer, a management consulting firm, to a small non-profit organization (SNPO-MC). You have been tasked with researching requirements for a Cloud Computing Security Policy and then developing a draft policy for the non-profit organization, SNPO-MC. The purpose of this policy is to provide guidance to managers, executives, and cloud computing service providers. This new policy will supersede (replace) the existing Enterprise IT Security Policy which focuses exclusively upon enterprise security requirements for organization owned equipment (including database servers, Web and email servers, file servers, remote access servers, desktop computers, workstations, and laptop computers) and licensed software applications. The enterprise IT security policy also addresses incident response and disaster recovery.
As part of your policy development task you must take into consideration the issues list which was developed during brainstorming sessions by executives and managers in each of the three operating locations for the non-profit organization.
Your deliverable for this project is a 5 to 8 page, single spaced, professionally formatted draft policy. See the following resources for suggested formats.
https://it.tufts.edu/cloud-pol
https://www.american.edu/policies/upload/IT-Security-Policy-2013.pdf
Organization Profile:
The organization is headquartered in Boston, MA and has two additional operating locations (offices) in New Orleans, LA and San Francisco, CA. Approximately 50 employees work in a formal office setting at one of these locations. These employees use organization owned IT equipment. The remaining.
Businesses involved in mergers and acquisitions must exercise due di.docx (dewhirstichabod)
Businesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to a problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.
Often the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the roadmap for the new enterprise security solution for the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to leverage additional resources and executive attention on strategic security matters.
In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive briefing and summary, can be found in the final step of the project.
There are nine steps to the project. The project as a whole should take two weeks to complete. Begin with the workplace scenario and then continue to Step 1.
Deliverable
Cybersecurity for a Successful Acquisition, Slides to Support Executive Briefing
Step 1: Conduct a Policy Gap Analysis
As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions, keep in mind that the networks of companies going through an M&A can be subject to cyberattack. As you work through this step and the others, keep these questions in mind:
Are companies going through an M&A prone to more attacks or more focused attacks?
If so, what is the appropriate course of action?
Should the M&A activities be kept confidential?
Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
Conduct a policy gap analysis to ensure the target company's security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
How would you identify the differences?
How would you learn about the relevant laws and regulations?
How would .
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx (Infosectrain3)
The CompTIA Cybersecurity Analyst+ (CySA+) certification exam requires you to know how to use tools and resources to monitor activity: what is going on, what the applications and users are doing, and how the system is working. There are a variety of tools you may use to do so.
Six Keys to Securing Critical Infrastructure and NERC Compliance (Lumension)
With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.”
Vulnerability and exposure of utilities’ critical infrastructures originate from the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate with and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades) and were not designed with security in mind. Regulatory bodies have recognized the many security issues facing critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements for electric and power companies to address. As of July 1, 2010, these companies must be “auditably compliant” or else they risk a penalty of $1 million per day, per CIP violation.
In this roundtable discussion, we will highlight:
• The security challenges facing utilities today
• The six critical elements to achieving economical NERC CIP compliance
• How utilities can secure critical infrastructure in today’s networked environment
1. City of New Orleans
Response for Proposals
Unit 10 Assignment 1: Team RFP Response Report
Delivery
INFORMATION SECURITY AND CYBERSECURITY
PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR’S DEGREE
Submitted to:
ADVISOR, Mr. Evans
Submitted by:
Mark Milburn
ITT TECHNICAL INSTITUTE
ARLINGTON, TEXAS
May, 2016
2. Table of Contents
I. Research
i. Review of Firm’s Qualifications
II. Data Analysis
i. RFP Clarification Questions
ii. RFP Technical Requirements and Differences from Existing Controls
iii. Data Privacy Legal Requirements as per RFP’s Compliance
iv. Data Protection and Privacy
v. Risk Assessment Project Plan Definition
vi. Risk Prioritization and Mitigation Project Plan Definition
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk Prioritization
III. Solution Design
i. Benefits of Our Recommendations
ii. Data Privacy Legal Requirements as per RFP’s Compliance
iii. Procedure to Conduct a Security Assessment and Risk Identification
iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment
v. Phased Project Approach and High-Level Project Plan Including Prioritized Security Controls
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
ii. High-Level Description of Current Client’s Need
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
iv. Compliance Project Plan Definition
v. Disaster Recovery Plan Outline
vi. Business Continuity Plan Outline
V. Executive Summary
i. Layered Solution Executive Summary
3. I. Research
i. Review of Firm’s Qualifications
We have reviewed the vendor minimum requirements and would like to provide a statement of how we meet the RFP requirements.
Must be in business for at least the last five consecutive years: Telecon Security Services Inc. has been in business now for ten years.
Report annual gross sales of at least one million U.S. dollars: Our annual gross sales are currently $1.9 million.
Present at least three references of previous engagements, within the last three years, that are materially similar to the requirements contained in this document: Telecon Security Services Inc. has won five major contracts and ten small contracts in the last seven years for vulnerability assessments and penetration tests.
Must have at least one person who will be a primary participant in delivering products and services who holds a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent: Our team of thirty-five employees holds certifications in the areas asked. Of the nine employees that work on the new prospective products and services, seven hold Certified Information Systems Security Professional (CISSP) certifications, six hold Certified Information Security Manager (CISM), seven hold Global Information Assurance Certification (GIAC), and seven hold Security Essentials Certification (GSEC).
4. Cannot have any active managed security service provider contracts with any other agency in this state: We do not have any active contracts and are in the process of expanding our own business in the state of New Orleans. We can provide samples of previous reports for other clients that contain four of the five fields you requested:
Risk Assessment
Vulnerability Assessment
Penetration Testing
Business Continuity Plan/Disaster Recovery Plan (BCP/DRP)
Telecon Security Services Inc. has identified gaps in two areas of the state’s minimum requirements:
Must maintain at least one permanent office in this state: We are currently looking to expand our business but have not yet decided on the best location for our organization.
Provide previous reports for other clients for source code review: Security Patching Inc. does not have the means to assess source code security and does not employ development security specialists.
II. Data Analysis
i. RFP Clarification Questions
After reviewing the RFP for technology consulting services, Telecon Security Services Inc. has identified the following questions:
1. The scope of the RFP states the State wants a review of its entire system security program. How many locations and agencies will this comprise?
2. Task #1 asks Telecon Security Services Inc. to conduct a vulnerability assessment for the State’s system. In order to do this properly, Cyber-Link will be conducting penetration testing. What limitations, if any, will Cyber-Link have when it comes to performing penetration testing on the State’s systems?
3. Task #3 asks Telecon Security Services Inc. to provide training to State employees. Should there be multiple levels of training for different types of employees, or broader training material that covers every user?
ii. RFP Technical Requirements and Differences from Existing Controls
After reviewing the RFP’s description of the current IT security policy and technical description, the following comparisons of the two descriptions have been made, along with a list of differences and/or gaps.
Application Control - Current Gap
Media Disposal and Reuse - Current control calls for drives to be wiped by a tool that wipes bit by bit and sanitizes the drive before it is given to a new user.
User Identification and Authorization - Current control calls for users to have at minimum a username and password with the correct access to network resources.
User Privilege Control - Current Gap
User Account Lockout - Current control calls for multiple login attempts to be blocked after a certain number of tries.
Mobile and Workstation Computing - Current control calls for protection from unauthorized use, modification or destruction.
Mobile Computing - Current control calls for no saving of sensitive organizational data, and mobile workstations require full disk encryption.
Operating System Access Controls - Current Gap
Use of Shared Technology Resource - Current Gap
Personnel Background Investigation - Current Gap
Acceptable Use Policy - Current control is a full access control policy.
Software Control - Current control asks for support of security mechanisms that provide data integrity, confidentiality and availability as well as an auditing mechanism.
Malicious Software Control - Current control calls for anti-virus and anti-malware installed on every workstation to mitigate the risk of data leakage.
Segregation of Duties - Current Gap
iii. Data Privacy Legal Requirements as per RFP’s Compliance
After reviewing the RFP’s current IT security policy framework, privacy data legal requirements, and the security gap analysis, the following security gaps that relate to protecting privacy data have been identified, along with the impact each could have on the client’s organization and its importance.
Compliance with Legal Requirements - All State Government agencies must be compliant with any State or Federal regulatory requirements which supersede this policy document.
Threat level very high - Could be subject to fines and/or lawsuits if found not in compliance.
Applicable Legislation - All State Government agencies must be compliant with any legislation enacted by the State Government in regards to the management of information resources on behalf of the State.
Agencies must be in compliance with all legislation passed by the state government.
iv. Data Protection and Privacy
All State Government agency data custodians must ensure that all “Personal Information” data assets, as defined by applicable State and/or Federal law and regulations, are protected from unauthorized use, modification, or disclosure.
Threat level very high - Would be subject to a large number of tort claims if personal information is stolen.
Data Breach and Disclosure - Any State Government agency that discovers a breach of the information security controls set forth in this policy which results in disclosure of unencrypted “personal information” about persons to unauthorized third parties shall provide notice of the disclosure in accordance with State law, mandates, and acts.
Threat level very high - Would be subject to a large number of tort claims if personal information is stolen.
v. Risk Assessment Project Plan Definition
The following project plan outlines conducting a qualitative risk analysis to analyze identified risks, threats, and vulnerabilities, with the requirements to implement the risk analysis solution and mitigation recommendations.
Segmentation and Layered Security
Developers implement layered security technologies and configurations based on role, risk, sensitivity, and access control rules.
Media Handling and Security
Auditing and enforcement to ensure that only licensed software is installed on systems.
User Access Management
Management and employees to handle procedures such as new account creation, account transfer, job profile changes, account termination, and/or account deletion.
Network Access Control
Network designers to design a network that provides the ability to segregate and control traffic between systems, connected devices, and third parties based on role, risk, and sensitivity. Employees to keep the network running.
vi. Risk Prioritization and Mitigation Project Plan Definition
After conducting the following review of the data security requirements, the current RFP technical description, and the output from the qualitative risk assessment, the following project plan has been developed.
User Identification and Authorization - System in place that requires the use of a user ID and password that uniquely identifies the user before providing access to protected information resources.
User Password Management - Guidelines developed which require users to create and maintain passwords to protect against unauthorized access.
Segregation in Networks - Design a network that at a minimum has separate public, demilitarized, and private security zones based on risk.
Data Protection and Privacy - Systems in place to ensure all personal information is protected from unauthorized use, modification, or disclosure.
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk Prioritization
The first phase in information security is to control user access. All state government agencies will create, document, and maintain user access and account management procedures. These procedures may include, but are not limited to, new account creation, account transfer and/or job profile changes, and account termination and/or deletion. Likewise, at a minimum, user access to protected information resources requires the use of a user ID and password that uniquely identifies the user. Sharing access credentials intended to authenticate and authorize a single user between any two or more people is prohibited. Finally, passwords assigned to users must be created and managed to protect against unauthorized disclosure or use and must meet the minimum password requirements. The next step in information protection is proper network access control. All enterprise network architectures operated by, or on behalf of, the state government shall be designed to support, at a minimum, separate public, demilitarized, and private security zones based on role, risk, and sensitivity. Bridging between discrete security zones is strictly prohibited. All access between discrete security zones shall be controlled by a security mechanism configured to deny all access by default unless explicitly authorized and approved by the security management team.
The last step is to ensure all government agencies are in compliance with the security policy. All state agencies must also be in compliance with any state or federal regulatory requirements that supersede the local policy. This is to ensure that all personal information data assets, as defined by applicable state and/or federal law and regulations, are protected from unauthorized use, modification, or disclosure.
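Added example, not part of this proposal: a small qualitative risk prioritization that rates each control marked "Current Gap" in the gap analysis above with a likelihood/impact matrix and orders the mitigation actions the Solution Design recommends. The likelihood and impact ratings, and the matrix itself, are constructed for illustration and are not values stated anywhere in the proposal.

```python
"""Qualitative risk prioritization for the control gaps found in the gap analysis.

Added example, not part of the proposal. The likelihood/impact ratings and the
risk matrix are constructed for illustration, not values taken from the RFP response.
"""
from dataclasses import dataclass

# Ordinal scales used by a qualitative assessment; higher index = more severe.
LIKELIHOOD = ("Low", "Medium", "High", "Very High")
IMPACT = ("Low", "Medium", "High", "Very High")

# Risk matrix indexed as RISK_MATRIX[likelihood_index][impact_index].
RISK_MATRIX = (
    ("Low",    "Low",    "Medium",    "Medium"),
    ("Low",    "Medium", "Medium",    "High"),
    ("Medium", "Medium", "High",      "Very High"),
    ("Medium", "High",   "Very High", "Very High"),
)
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}


@dataclass(frozen=True)
class GapFinding:
    control: str      # control area from the gap analysis
    likelihood: str   # how likely the gap is to be exploited or cause harm
    impact: str       # consequence to the State if it is
    mitigation: str   # recommended action from the Solution Design


def rate_risk(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk rating for one likelihood/impact pair."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def prioritize(findings):
    """Order findings highest risk first; ties broken by impact, then control name."""
    return sorted(
        findings,
        key=lambda f: (
            -RISK_ORDER[rate_risk(f.likelihood, f.impact)],
            -IMPACT.index(f.impact),
            f.control,
        ),
    )


# Constructed ratings for the six controls the gap analysis marked "Current Gap".
FINDINGS = [
    GapFinding("Application Control", "Medium", "Medium",
               "Procurement staff to track application licenses"),
    GapFinding("User Privilege Control", "High", "High",
               "User groups that limit what each department can see"),
    GapFinding("Operating System Access Controls", "High", "Very High",
               "Remove administrative access from non-power users"),
    GapFinding("Use of Shared Technology Resources", "Medium", "High",
               "GPO session time-outs; no admin rights to other profile folders"),
    GapFinding("Personnel Background Investigation", "Low", "High",
               "Third-party background checks for potential employees"),
    GapFinding("Segregation of Duties", "Medium", "Very High",
               "Management to define job titles and segregate access control"),
]


def mitigation_plan(findings=FINDINGS):
    """Return (control, rating, mitigation) tuples in the order work should start."""
    return [(f.control, rate_risk(f.likelihood, f.impact), f.mitigation)
            for f in prioritize(findings)]


if __name__ == "__main__":
    for control, rating, action in mitigation_plan():
        print(f"{rating:<10} {control:<38} {action}")
```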
III. Solution Design
i. Benefits of Our Recommendations
Below is a list of the IT security gaps that we have identified along with the recommended mitigation action.
Application Control - Hire procurement staff to keep track of licenses for specific applications and applications purchased by users.
User Privilege Control - Set up user groups for certain areas of the network and limit what departments can see.
Operating System Access Controls - Remove administrative access from non-power users in order to keep computers from damaging acts/virus installation.
Use of Shared Technology Resources - Set time-out settings through GPO to a short period of time so that users cannot use each other’s profiles. Do not allow users admin rights to see other profile folders.
Personnel Background Investigation - Use a third-party background check company to research potential employees.
Segregation of Duties - Management staff to meet and agree on the specific job titles for the organization’s personnel. This allows us to segregate access control.
ii. Data Privacy Legal Requirements as per RFP’s Compliance
After conducting an IT security compliance and governance gap analysis, the following gaps related to privacy data have been identified, and a mitigation control has been recommended for each.
Compliance with Legal Requirements - Would have legal experts review regulatory requirements and create a framework for auditors and managers to ensure all regulatory requirements are being followed/enforced.
Applicable Legislation - Would have legal experts review legislation and create a framework for auditors and managers to ensure all regulatory requirements are being followed/enforced.
Data Protection and Privacy - Would create standard operating procedures for acceptable use of personal information, protecting it from unauthorized use, modification, or disclosure. Would empower auditors and managers to ensure policies are being followed/enforced.
Data Breach and Disclosure - Would train employees to provide notices of disclosure to those individuals affected.
iii. Procedure to Conduct a Security Assessment and Risk Identification
The following procedures, explanations, and actions have been developed in order to conduct a security assessment for the workstation and system/application domains.
Workstation Domain
Educating and retraining users on acceptable use. Educating and constant training of the users will mitigate most of the risk experienced in the workstation domain. Users will know how to handle specific situations that can potentially bring harm to the network. Training during the first week of a new employee’s onboarding, and yearly training on new threats.
Setting an auto-lock policy for when the user is away from the PC. This mitigates the risk of other users seeing/tampering with data they are not supposed to have access to. Create a GPO policy that will auto-lock the computer after ten minutes of non-use.
Securely deleting data from computers’ recycle bins. This mitigates the risk of a user or hacker trying to find hidden/erased data, by writing zeros over any data that has been deleted. Create a GPO policy that will securely delete all files from the drive.
Securely dispose of computers and drives once the computer has been deemed inactive. This mitigates data leakage by making sure the drives have been removed and erased bit by bit. Buy tools to write zeros over every bit on the drive so it can be safely disposed of.
Installing antivirus at an enterprise level. This mitigates data leakage and stops malicious software from destroying hardware. Enterprise-level antivirus that can be controlled from a server.
System/Application Domain
Patching servers, firewalls, and workstations. This mitigates hackers from using known vulnerabilities in server, firewall, and workstation operating systems.
Software to scan incoming/outgoing emails, and server hardening. The software will scan all incoming and outgoing emails for viruses and hidden data. Also remove any services not being used by email servers. Installation of software like IronMail.
Protect database servers from attacks, and server hardening. This mitigates any attack on SQL servers. Also remove any services not being used by email servers. Define database columns with the exact type of information needed.
Protect web servers from attacks, and server hardening. Also remove any services not being used by email servers.
Seal off firewall ports that are not in use. This mitigates attackers from using unused open ports to gain access to the network. Turn off ports not being used by system servers/workstations.
iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment
The following plan aligns the tasks and deliverables for risk assessment, analysis, and remediation with specific recommendations for addressing the risks identified.
Segmentation and Layered Security - The State Government’s operational environment shall support segmentation and layered security technologies and configurations based on role, risk, and sensitivity. Developers will implement layered security technologies and configurations based on access control rules.
Media Handling and Security - Only licensed software procured through the State Government contracts shall be installed in the State’s environment. Auditors and managers will ensure that only licensed software is installed on systems.
User Access Management - All State Government agencies shall develop, document, and maintain user access and account management procedures. Management and employees will handle procedures such as new account creation, account transfer, job profile changes, account termination, and/or account deletion.
Network Access Control - All access and connectivity to the State Government’s network must comply with the State Government’s security requirements for network interconnectivity. Network designers will design a network that provides the ability to segregate and control traffic between systems, connected devices, and third parties based on role, risk, and sensitivity.
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
We have developed a phased approach to the scope of work and built an outline for a high-level project plan.
Definition of scope of analysis
Identification of the State's critical assets
Determination of the best analytical (qualitative/quantitative) base for an evaluation
Identification of potential risks, threats, and vulnerabilities
Evaluation of the risk profile (risk, threat, & vulnerability assessment)
Risk remediation recommendations: short-term and long-term with cost magnitude estimates
Tasks:
Provide a narrative that illustrates the proposer's understanding of the state's requirements and project schedule.
Provide a narrative that illustrates how the proposer will complete the scope of services, accomplish required objectives, and meet the state's project schedule.
Provide a narrative that illustrates how the proposer will manage the project, ensure completion of the scope of services, and accomplish required objectives within the state's project schedule.
Provide a narrative illustrating your methodology for conducting vulnerability assessments and penetration tests.
Provide a narrative describing how you apply your vulnerability assessment and penetration testing methodologies in performing the services for customers, including project management, incident and emergency procedures, etc.
Provide a narrative detailing the systems that you are able to assess for vulnerabilities, including but not limited to operating systems, databases, and infrastructure/networking.
Provide a narrative illustrating your methodology for reviewing code.
ii. High-Level Description of Current Client’s Need
The state has an immediate requirement for contractual support for technical security consulting services for its information security program. The state is undertaking a review of its entire system security program to include risk analysis/vulnerability assessments of the system, assessment of the automated security program, security awareness training, development and enhancement of security plans, continuity and contingency planning, and infrastructure protection review.
Cyber-Link plans to tackle these requests head on. Our organization offers security assessments by top-level certified technicians. Our team also offers penetration testing. Our team takes pride in our work and shows it through the care they provide.
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
The following project plan identifies privacy data and related gaps and recommends a mitigation action for each.
Segregation of Duties - Management staff to meet and agree on the specific job titles for the organization’s personnel. This allows us to segregate access control.
Personnel Background Investigation - Use a third-party background check company to research potential employees.
Use of Shared Technology Access Controls - Set time-out settings through GPO to a short period of time so that users cannot use each other’s profiles. Do not allow users admin rights to see other profile folders.
Operating System Access Controls - Remove administrative access from non-power users in order to keep computers from damaging acts/virus installation.
User Privilege Control - Set up user groups for certain areas of the network and limit what departments can see.
Application Control - Procurement staff to keep track of licenses for specific applications.
iv. Compliance Project Plan Definition
We have developed a project plan that identifies gaps related to privacy data and recommends mitigation actions for each gap outlined in the RFP regarding the current IT policy framework description.
Data Breach and Disclosure - Workers trained to provide notices of disclosure to those individuals affected.
Data Protection and Privacy - Policy writers to create standard operating procedures for acceptable use of personal information, protecting it from unauthorized use, modification, or disclosure. Auditors and managers to ensure policies are being followed/enforced.
Applicable Legislation - Lawyers and legislation subject matter experts to review legislation. Auditors and managers to ensure regulatory requirements are being followed/enforced.
Compliance with Legal Requirements - Lawyers and regulatory requirement subject matter experts to review requirements. Auditors and managers to ensure regulatory requirements are being followed/enforced.
v. Disaster Recovery Plan Outline
Our Business Continuity services offer the following to keep your company prepared for a wide range of emergency situations:
Ready For Any Emergency.
Telecon Security Services Inc. prepares your company for any disaster that could affect your IT infrastructure, whether it is a natural occurrence, cybercrime, power outages or human error.
Proactive Planning.
By developing effective policies and procedures, we can help you and your staff operate effectively and efficiently in the case that your business is affected by an emergency of any kind.
Reliable Backups.
Telecon Security Services Inc. keeps your data up to date, secure, and stored both locally onsite and virtually through the Cloud. This technology protects your business from data loss and ensures that in the event of a natural disaster you can continue to access your systems and files.
Regularly Tested Systems.
By testing the backup systems on a regular basis, we can ensure they are ready for use at the moment they are needed. With each step New Orleans business owners take in becoming a more developed and profitable operation, you need to be sure that your IT systems can support that growth. Arranging one-off consultations with IT companies is inconvenient and expensive, but without the right knowledge, your technology may fail to meet the requirements of the next stage of business growth.
In any recovery plan there will be a wide array of disaster possibilities and recovery procedures to consider. To narrow the problem down, therefore, preliminary assumptions are developed as guidelines. For the recovery effort to be successful, all involved staff are required to ensure that these assumptions are current and correct. Managers will keep all personnel affected by this plan aware of its current procedures and practices. All staff affected by this plan are responsible for understanding their role in a disaster situation. This plan will be continuously maintained. The recovery procedure documented in the plan should be tested annually. All staff must react quickly and effectively during the recovery process. Disaster recovery can only be successful if there is an initial backup of static components, including the system software, proprietary packages, programs, and data, and a regular backup, at least daily, of all changes and modifications to these electronic components, and there is regular testing of hardware and communications backup facilities.
This plan should be revised annually and should always be readily available to authorized personnel. Objectives should be reviewed and updated by management on an annual basis. The Disaster Recovery Plan may require updates if issues or changes include some or any of the following: mainframe and mid-range disaster recovery test results, new critical applications or critical users, increased application complexity, new equipment acquisitions, and/or changes to hardware, software, network, applications, and/or data. Items to be examined for plan revision should include: personnel changes, mission changes, priority changes, new business organizations, mainframe and mid-range disaster recovery test procedures and results, backup procedures, recovery procedures, the relocation/migration plan, software (operating system, utilities, application programs), hardware (mainframe, mid-range and peripherals), and communications network facilities. Typical DRP activities include developing, documenting, implementing and testing the Disaster Recovery Plan. The state government will have the ability to restore the availability of critical applications in a timely and organized manner following a disaster event. In order to achieve these objectives, the technology area will depend on support from senior management, end users and staff departments.
Testing the plan is intended to train the personnel who will be responsible for executing the Disaster Recovery Plan. IT-related emergencies can strike at any time, whether they are malware attacks, natural disasters or system crashes. It is crucial to have a plan in place to ensure your business can keep costly downtime to a minimum. Every moment that your systems are down costs you more, so be sure to prepare your business for the worst by planning ahead.
In the event of a declared disaster, key personnel will take immediate action to alert the Disaster Recovery Center. Restoration of the critical coverage will be provided after a disaster is declared and after turnover of the disaster recovery backup site. It will include, without limitation, the following: delivery of the authorized user data and software archived in off-site storage to the Disaster Recovery Center, connecting network lines to the Disaster Recovery Center, operating the critical applications on the configuration at the Disaster Recovery Center, providing critical coverage at the Disaster Recovery Center, and providing workspace and required equipment.
Recovery activities will be conducted in a phased approach. The emphasis will be to recover the critical applications effectively and efficiently. Critical applications will be recovered over a period of time after data center activation.
vi. Business Continuity Plan Outline
Purpose – This Business Continuity Plan (BCP) will be updated in response to changes in the business environment. The state of Georgia will review the plan at least annually. This document outlines the steps required to operate the state of Georgia in the event of an unanticipated interruption of normal operations. This document will articulate the triggers for when alternate business processes need to be deployed, the steps to deploy alternate business processes, the methods for verifying that business has been properly restored and ensuring data integrity, and activities for returning to “normal” business processing.
Scope – This BCP is applicable to the IT Department of this RFP.
Assumptions – The plan will be implemented if systems are unavailable for 48 hours.
Facilities will provide temporary space for critical staff
IT will provide technical assistance for the temporary location
Telecommunications will have phone lines available in the temporary location
Equipment can be rented or otherwise acquired as needed
IT can restore files from the latest off-site backups
Critical Business Functions:
Accounting
Human Resources
Administration
Information Services
Purchasing
Risks to Operation and Strategies to Address Risk
Natural Risks:
High Winds/Tornados: Have backup sites spread through the state in order to keep the network up and running.
Lightning: Have backup generators ready to give the building power.
Flooding: Keep essential equipment on the 2nd floor and above.
Fire: Install fire suppression systems and fireproof drywall to protect important assets.
Intentional Acts:
Theft: Install camera systems within the office. Encrypt any machine that goes off site.
Cyber Attack: Server hardening, patching of all network assets, firewall hardening.
Malware: Keep anti-virus up to date to mitigate this risk.
V. Executive Summary
i. Layered Security Solution Executive Summary
To ensure the security of business-critical information, it is essential to develop a multi-layered strategy to address the threats. Organizations focus their defensive controls at the perimeter in the belief that this makes it difficult for attackers to penetrate systems. However, once this perimeter is breached, the attackers have relatively free rein inside the network. Hardened perimeter defenses alone also fail to address the threat from internal sources. Organizations need to develop a multilayered security strategy that focuses on the confidentiality, integrity and availability of the information being protected. A multi-layered approach to security ensures that if one layer fails or is compromised, other layers will compensate and maintain the security of that information. Thus, each of these layers should have multiple controls deployed to protect the confidentiality, integrity and availability of the information. Some of these more essential controls include system configuration hardening, file integrity monitoring, and log management.
You deserve the best in IT support, and that only comes from those who work with the best themselves! Telecon Security Services Inc. has the best strategic partners in the business, so to learn more about what we can do for your New Orleans business, call us at (504) 848-0571 or email us at info@teleconsecurity.com today.